Disable Hard Match Takeover in Microsoft Entra Connect
Ensure that the hard match feature is turned off to prevent unauthorised access in Microsoft Entra Connect servers.
Plain language
This control is about making sure a specific feature called hard match takeover in Microsoft Entra Connect is turned off. This is important because having it on could let someone gain control of user accounts without permission, putting your business data at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Topic
Microsoft Entra Connect
Official control statement
Hard match takeover is disabled for Microsoft Entra Connect servers.
Why it matters
If hard match takeover is enabled in Entra Connect, attackers can take over synced identities by matching on-premises accounts to cloud users.
Operational notes
Periodically confirm the Entra Connect setting for hard match takeover remains disabled after upgrades, config changes or server rebuilds.
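To make the periodic confirmation above repeatable, here is an added example (not from the control page, the ISM, or Microsoft) that reads the tenant-level on-premises synchronisation features through Microsoft Graph PowerShell and reports whether the control is met. Entra exposes this as a block flag, so hard match takeover is "disabled" in ISM terms when BlockCloudObjectTakeoverThroughHardMatchEnabled is true; the module name, cmdlet and the OnPremDirectorySynchronization.Read.All scope are assumptions to check against your Graph SDK version.

```powershell
# Added audit check for ISM-1951 (example, not vendor or page code).
# Assumes: Microsoft.Graph.Identity.DirectoryManagement module is installed and
# the signed-in account can consent to OnPremDirectorySynchronization.Read.All.
Connect-MgGraph -Scopes "OnPremDirectorySynchronization.Read.All" -NoWelcome

function Test-HardMatchTakeoverDisabled {
    # Returns one result object per on-premises synchronisation configuration.
    # Compliant means the tenant BLOCKS cloud object takeover through hard match.
    $configs = Get-MgDirectoryOnPremiseSynchronization
    if (-not $configs) {
        throw "No on-premises directory synchronisation configuration found; is Entra Connect in use?"
    }

    foreach ($cfg in $configs) {
        # A missing property is treated as NOT blocked, the unsafe default, so it is surfaced.
        $blocked = [bool]$cfg.Features.BlockCloudObjectTakeoverThroughHardMatchEnabled

        [pscustomobject]@{
            ConfigurationId          = $cfg.Id
            HardMatchTakeoverBlocked = $blocked
            Ism1951Status            = if ($blocked) { "COMPLIANT" } else { "NON-COMPLIANT" }
            CheckedAt                = (Get-Date).ToString("o")   # timestamp for the audit record
        }
    }
}

# Run the check and keep the output as evidence for the configuration report.
$results = Test-HardMatchTakeoverDisabled
$results | Format-Table -AutoSize
$results | Export-Csv -Path ".\ISM-1951-hard-match-check.csv" -NoTypeInformation

# Fail loudly (non-zero exit) if any configuration still allows hard match takeover,
# so the check can run unattended after upgrades or rebuilds.
if ($results | Where-Object { -not $_.HardMatchTakeoverBlocked }) {
    Write-Error "ISM-1951: hard match takeover is NOT blocked in at least one configuration."
    exit 1
}
```

Where the check reports NON-COMPLIANT, the flag can be turned on with Update-MgDirectoryOnPremiseSynchronization using the ReadWrite scope (assumed cmdlet and scope names), after which the check is re-run and the CSV kept as the audit evidence.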
Implementation tips
- IT team should review Microsoft Entra Connect settings to ensure hard match takeover is disabled. They can do this by logging into the Microsoft Entra admin portal and checking the synchronisation settings.
- System owner should verify with the IT team that the hard match feature is turned off in all Microsoft Entra Connect instances. This can be done through a report from the IT team that confirms this setting is off.
- Office manager should organise a regular review schedule with the IT team to check the status of Microsoft Entra Connect settings. This could be done quarterly and documented to ensure that the correct configurations remain in place.
- Managers should ensure that staff responsible for managing Microsoft Entra Connect are properly trained. Training sessions can be organised to cover the disabling of hard match takeover and understanding its implications.
- Procurement or IT purchasing team should confirm that any third-party tools integrating with Microsoft Entra Connect have alignment with settings that keep hard match takeover disabled. Research and discussions with vendors can help ensure compliance with this setting.
Audit / evidence tips
- Ask: a configuration report from Microsoft Entra Connect. Request a document showing current settings, especially for hard match takeover.
  Good: a report showing the feature is off with a recent audit date.
- Ask: training records for staff responsible for Microsoft Entra Connect. Request documents that evidence relevant training sessions were attended.
  Good: includes completed training sessions on the specific settings.
- Ask: an access log detailing recent changes to Microsoft Entra Connect settings. Request a log file or record of changes in the system.
  Good: would show a recorded action with a staff member's name and date.
- Ask: regular review meeting minutes. Request documentation from scheduled IT review meetings discussing Microsoft Entra Connect settings.
  Good: would be meeting minutes that explicitly cover and confirm the setting.
- Ask: vendor compliance reports for related tools. Request documents showing third-party tools' settings align with Microsoft Entra security practices.
  Good: confirms that vendors disable conflicting settings.
Cross-framework mappings
How ISM-1951 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.16 | ISM-1951 requires that hard match takeover is disabled on Microsoft Entra Connect servers to prevent unauthorised account takeover via id... | |
| Annex A 8.9 | ISM-1951 requires a specific security configuration: hard match takeover must be disabled on Microsoft Entra Connect servers | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.